
Re: Providing qemu-guest-agent in our images



19.02.2019 4:56, Marco d'Itri wrote:
> On Feb 10, Bastian Blank <waldi@debian.org> wrote:
>
>> On Thu, Feb 07, 2019 at 03:49:55PM +0100, Marco d'Itri wrote:
>>> OTOH by default it allows the host to read/write files in the guest, so
>>> it should be installed with a sensible blacklist in
>>> /etc/default/qemu-guest-agent .
>> What blacklist?  I was unable to find any evidence of a blacklist on
>> filename in the code.
> Indeed our qemu agent package does not have one, but e.g. RHEL and
> Ubuntu do:
>
> http://manpages.ubuntu.com/manpages/cosmic/man8/qemu-ga.8.html

I'm not sure I understood your question. Ubuntu uses the same package
as Debian, RHEL comes from the same codebase, and the same manual page
exists on Debian too, and this manpage hasn't been changed (besides
minor tweaks) since its addition in 2015.

The Ubuntu package does not have a blacklist file for qemu-ga, and Debian
does not have one either, since it is the same package. Qemu-ga can use a
blacklist if told to do so.

> Maybe the qemu maintainer knows more?

What's the question really?? :)

Speaking of a qemu-ga blacklist, -- well, from the host's point of view
such a blacklist is more or less pointless, since the host can even trace
every CPU instruction a guest does; if the host wants to see files on the
guest it's not a problem at all, it has full access to everything.

What blacklist is "sensible" from your PoV?

Thanks,

/mjt

